package com.lushuan.ch10_springboot_security.controller;

import com.lushuan.ch10_springboot_security.entity.SensitiveData;
import com.lushuan.ch10_springboot_security.entity.UserDTO;
import com.lushuan.ch10_springboot_security.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import java.util.List;

@RestController
@RequestMapping("/api/admin")
@PreAuthorize("hasRole('ADMIN')")  // 类级别的权限控制，该类下所有方法都需要ADMIN角色
public class AdminController {

    @Autowired
    private UserService userService;

    @GetMapping("/users")
    public List<UserDTO> getAllUsers() {
        return userService.getAllUsers();
    }

    // 可以在方法级别覆盖类级别的权限设置
    @PreAuthorize("hasAnyRole('ADMIN','SUPER_ADMIN')")
    @GetMapping("/sensitive-data")
    public List<SensitiveData> getSensitiveData() {
//        return sensitiveDataService.getAllData();
        return null;
    }
}